google / site-kit-wp

Site Kit is a one-stop solution for WordPress users to use everything Google has to offer to make them successful on the web.
https://sitekit.withgoogle.com
Apache License 2.0
1.25k stars 291 forks

ModSecurity: Impacting setup / redirects to homepage #1113

Closed jamesozzie closed 4 years ago

jamesozzie commented 4 years ago

Bug Description

Some users are experiencing issues with Site Kit setup, even with the proxy-based setup solution.

While temporarily deactivating ModSecurity can allow setup to proceed in some cases, asking users to temporarily deactivate it is not ideal and in many cases not possible (for shared hosting solutions).

Below is an example of an error log provided by one hosting provider, shared by one user on the WordPress support forum.

[Fri Jan 31 15:25:57.523701 2020] [:error] [pid 6226:tid 47032615163648] [client 173.238.17.22:55491] [client 173.238.17.22] ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".profile" at ARGS:scope.
[file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/08_Global_Other.conf"] [line "57"] [id "210580"] [rev "2"] [msg "COMODO WAF: OS File Access Attempt||hsjcc.on.ca|F|2"]
[data "Matched Data: .profile found within ARGS:scope: email profile https:/www.googleapis.com/auth/analytics.edit https:/www.googleapis.com/auth/analytics.manage.users https:/www.googleapis.com/auth/analytics.readonly https:/www.googleapis.com/auth/analytics https:/www.googleapis.com/auth/webmasters https:/www.googleapis.com/auth/siteverification openid https:/www.googleapis.com/auth/userinfo.profile https:/www.googleapis.com/auth/userinfo.email"]
[severity "CRITICAL"] [tag "CWAF"] [tag "Other"] [hostname "hsjcc.on.ca"] [uri "/"] [unique_id "XjSNVflO8akEWI8rkj-bDAAAAAE"], referer: https://accounts.google.com/signin/oauth/consentsummary?authuser=0&part=AJi8hAOPA9IrSpWL4k_Kj6u9T0v1uOzCSjgzj4yksVDaKVTcFTtp0wcuQXBHyvDKNjn_Jz8xSI4PNPSUP2rzMav_FfnBbu5tTffq-2rfJpnsw1LFdsEzIoyicccOgkw2VnnAuoAnGivyS4LXyEwy6l5Wn7z5NmRuRfLAuZOsWBBqQpEChBGCXDA35k43dKeeDNOa5iz61KN_F6N-FTC2AbftPNWJa0lawJ-0XU4kXU29KLjgUwponrgFI6HjJjHt3cgMEQ7KtGAOY9M4ioUppDKtnO-nw8I7fdmtMOy6ecwetDa_MVfz8ftor9DsmbywC67_NnOKxZS4LaqTYRS4EPK7coiFr6y1Gcxw8n4S_2oQzseSDC_dgk5aVePv_gGZnorYUPqd1r80KbJgqIq6hg9aqO_ihae-o1lZk40Unte-x29SLChdNzo51icQ_LxeKR2YvIhlVmpRo_PkKzH8GlwFrQ58kHLlLk3Z3y3_yY7CkhKZQi3HvYurZnIFvKT80Vb_PuSK55e-2V4VYJu8WISLqMqhzYSKDT4IWSCLt1N-DNKj8nIQA2F9wg6a9hwISQtFNprM1wC8q3CWoXaf_tuqwlQ-7HJ8ORHFcYPas6LiIfottLmFOr8SQNlZSXDsIk9PePz71TfOIJvtOkOFfLHSwmJa4YM5aTxi2Ks9XrkfB00IajWew80FP32S7bPxt0BI9Ra-EpzV17Xqmf1ARZn17Cp9iZVT0ENpCMOJTVTehXjAT23j-Isuu-5C1cshwS3qUwj_GgXwWEbmhWaOC-flhYylrStAxW09UUrRscCtjMvotfNjk-3KfcxxiL4PG1KxMz2Bk8ExazwTmEvDE2qxWJUaz0qehDkkB8j9oLZbW_WH_SBkPx6WtTjOfjYVmUzUllbRayzd0YiEZWFiPp_6DfWDKKcx80TcqXiiWFlOl7pegePW9cgysmdH0PD7j-VW9cMfwc_yrkx2b7221U5Lgf_r61oV0p3VktzdRqDf9imxXYi6_zFceXOzyfiJgMNQqapGAN7Wz2CgE0x5A2kZsLVLiZ93ZILHu0zBkEE5dRToXr9pd6fpi_ni1Z1sPCtnDcTTWxWup1r7X6hrUGtAMSWJMu1Pgo7rdQc3kDNsU_a7ZeAMMo3-W4l6aRJTplBj8_329zBd_mlKVEh18eaQpb6LdIXk7nNdgw5STieImLfi8MKHGR0dQo2kPZsERWKeq-Xy-RE5ctdYydlIqiq2N0xmUxO-htP-FmOAdNLkoh-BttzfcsKyBGXTi18zFJ9dRo30X6dBzjWuOJ9x4NuehsR4V8mCbksC7a01nCzFJG-aqOYVeYDz4JMBFeqpV1x_jGYuhT66kTVKZA0XHmwofYlXqond8UT2dufSDuU8517DHz97vsR6dljGL8JJOpMWOSC-xwT5-t7C6JPT2VR41GlpXk44R3t9ktmk_oCuFldvrlNpdAvoiyrFwruNoPO2Zf4wH9xYJtjb9hPwzgTp_g50EoNplhW59ritgFBaFKlXzJLASmIYjLVuQd48yYY95OSz-FH30-y4q8VrGedpG2BDGcsBiA8QWmpW57gOVFStCBAHvFKmBDppIWZhpAvAylMfT3eRrc_yGQ5smYyCKEpKjND5wZdfGJwWhA9-kGlm8m_svhG1BYXbmmJADYmQCFMa1gLJx6u7BQoNzZndf7NXEabpv29opSHTZlb1DLJ0mGBpuvQzPo4S6cdVg0JgiSxNVUL2i1UqzvFlPgp-ILgXghG5Bdbfruwt1Y3YzVm14rci0n90ILV08Wq0frGFT-z4TParcBaBYgeciXBX27GIBXzAyk-C3GvharDagOyghivpE3CXIyVg1LfyuIKK6POtARxfosDPYmVgC12PoJkGU1FBpBVcpyU_dmC_I-3YYcxl6TU&as=2ZC_b_ClWwEYMI-SkY3pBA&rapt=AEjHL4MDH7gjFKfrigw78cBYx0Z7HNLcWVulh-tiJnGEpSyMHpSEdzhQLH1lv3hy7_1DFdGu76l9S3uM9DwF7pGqZl2Jy66t-w&approvedScope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics.edit%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics.manage.users%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics.readonly%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics

Other related support topics:

Another redirection occurrence reported by one user, this time with redirection to a CentOS error page. Awaiting log files.

Screenshots

Additional Context


Do not alter or remove anything below. The following sections will be managed by moderators only.

Acceptance criteria

Implementation Brief

QA Brief

Changelog entry

ernee commented 4 years ago

Additionally, ModSecurity has been reported to affect the setup/connection of services like Analytics and AdSense, as seen in these topics:

https://wordpress.org/support/topic/i-cant-configure-analytics-and-adsense/ (Site Health avail)
https://wordpress.org/support/topic/unable-to-fetch-ga-account/ (Site Health avail)

jamesozzie commented 4 years ago

Another potentially impacted user: https://wordpress.org/support/topic/stuck-in-sign-in-with-google-to-configure-site-kit/#post-12422263

ernee commented 4 years ago

@jamesozzie the topic referenced above might be related to #1034, per the user's update that they changed from http to https.

jamesozzie commented 4 years ago

Additional information/context posted by other users at the below WordPress support topic: Can’t authenticate email then it crashes site

aaemnnosttv commented 4 years ago

The problem in the log above is related to a known rule in ModSecurity's free WAF rules which is designed to block access to the local .profile file. Because the OAuth flow sends the user back to the site with an auth scope that contains this string (https://www.googleapis.com/auth/userinfo.profile) in a query parameter, ModSecurity blocks it.

This isn't specific to Site Kit and would likely happen with any Google OAuth flow that included this scope.

According to this post, if the host supports ModSecurity changes via .htaccess they can add this rule to whitelist it in the scope query arg only (without disabling ModSecurity or this rule altogether):

<IfModule mod_security2.c>
     SecRuleUpdateTargetById 210580 !ARGS:'scope'
</IfModule>

This is still not a great solution though. I tried removing this scope in favor of using profile from the OpenID standard instead, but Google seems to add in the equivalent Google scope when returning, so this wouldn't work either.

@felixarntz since the OAuth callback hits the auth proxy first, is it possible we could remove the problematic scope from the site's URL before sending them back to the site? We could then rely on the presence of the OpenID profile instead. This might be hard to do in a BC-compatible way though.
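
An added illustration of the mechanism described in the comment above, not code from the Site Kit project or from the commenter: the script below emulates the phase-2 phrase match over ARGS that produced the 403 in the log, then applies the `!ARGS:scope` target exclusion and shows what it does and does not protect. The phrase list, the sample callback URL, the `code` value and the example host are all constructed here; the real COMODO rule 210580 matches many more filenames than the four listed. The `validate_scope` variant (checking that every token is a standard OpenID Connect scope or a `https://www.googleapis.com/auth/` URL before skipping the argument) is an assumption about how a tighter exclusion could be written, not a description of any vendor's or plugin's rule.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Stand-in phrase list for the WAF's "OS File Access Attempt" rule (assumption:
# the real COMODO rule 210580 uses a much longer list of sensitive filenames).
SENSITIVE_PHRASES = (".profile", ".bash_history", ".bashrc", "/etc/passwd")

# What a Google OAuth2 callback may legitimately carry in "scope" (assumption):
# the standard OpenID Connect scopes plus any Google API scope URL.
OPENID_SCOPES = {"openid", "email", "profile"}
GOOGLE_SCOPE_PREFIX = "https://www.googleapis.com/auth/"


def looks_like_google_scopes(value: str) -> bool:
    """True if every space-separated token is an OIDC scope or a Google API
    scope URL whose suffix is dotted alphanumerics (e.g. userinfo.profile).
    Paths, traversal sequences and shell dotfiles fail this check."""
    tokens = value.split()
    if not tokens:
        return False
    return all(
        t in OPENID_SCOPES
        or (t.startswith(GOOGLE_SCOPE_PREFIX)
            and re.fullmatch(r"[A-Za-z0-9.]+", t[len(GOOGLE_SCOPE_PREFIX):]) is not None)
        for t in tokens
    )


def phrase_hits(url: str, excluded_args=(), validate_scope: bool = False):
    """Emulate a phase-2 phrase match over every query argument.

    excluded_args   argument names removed from the rule's targets, as
                    'SecRuleUpdateTargetById 210580 !ARGS:scope' would do.
    validate_scope  if True, an excluded argument is only skipped when its
                    value passes looks_like_google_scopes(); otherwise it is
                    inspected like any other argument.
    Returns a list of (arg_name, phrase) pairs; an empty list means "pass".
    """
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name in excluded_args and (not validate_scope or looks_like_google_scopes(value)):
            continue
        lowered = value.lower()
        hits.extend((name, p) for p in SENSITIVE_PHRASES if p in lowered)
    return hits


def waf_status(url: str, excluded_args=(), validate_scope: bool = False) -> int:
    """HTTP status the emulated WAF would return: 403 on any hit, else 200."""
    return 403 if phrase_hits(url, excluded_args, validate_scope) else 200


# Constructed sample requests (example host, placeholder code value).
SITE = "https://example.com/"
CALLBACK = SITE + "?" + urlencode({
    "code": "CONSTRUCTED_CODE",
    "scope": "email profile https://www.googleapis.com/auth/analytics.readonly "
             "openid https://www.googleapis.com/auth/userinfo.profile",
})
ATTACK = SITE + "?file=../../.profile"        # real file-access probe
SMUGGLED = SITE + "?scope=../../.profile"     # same probe, hidden in the excluded arg


if __name__ == "__main__":
    cases = [
        ("OAuth callback, rule as shipped", CALLBACK, (), False),
        ("OAuth callback, !ARGS:scope", CALLBACK, {"scope"}, False),
        ("probe in ?file=, !ARGS:scope", ATTACK, {"scope"}, False),
        ("probe in ?scope=, !ARGS:scope", SMUGGLED, {"scope"}, False),
        ("probe in ?scope=, validated exclusion", SMUGGLED, {"scope"}, True),
        ("OAuth callback, validated exclusion", CALLBACK, {"scope"}, True),
    ]
    for label, url, excl, strict in cases:
        print(f"{label:40s} -> {waf_status(url, excl, strict)} {phrase_hits(url, excl, strict)}")
```

The first two cases reproduce the log and the `.htaccess` fix: `userinfo.profile` trips the phrase match, and dropping `ARGS:scope` from the rule's targets lets the callback through while `?file=../../.profile` is still blocked. The fourth case is the caveat a blanket exclusion introduces: anything an attacker puts in a parameter named `scope` is now invisible to rule 210580, which is why the validated variant only skips the argument when its value actually looks like a Google scope list. In real ModSecurity that shape is a chained `SecRule ARGS:scope` with an allowlist regex whose action is `ctl:ruleRemoveTargetById=210580;ARGS:scope`, applied per request rather than globally.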

felixarntz commented 4 years ago

@cole10up This was fixed on our end (not in the plugin), but I marked this as part of the release. Could you do some QA on this or follow up with @jamesozzie? Thanks!

cole10up commented 4 years ago

I ran some tests on my end installing application-based security plugins such as WordFence, W3TC and Redirect. Installed and activated Site Kit. No issues discovered.

Unfortunately my hosting test server doesn't have ModSecurity.

In order to properly retest this we'll need to invest more time into this ticket to validate with a full setup of an instance with an Apache server running ModSecurity.

cole10up commented 4 years ago

@jamesozzie - Here's a guide to ModSecurity and where to configure it if you have a server running with cPanel and WordPress installed.

https://sysally.com/blog/how-modsecurity-protects-wordpress-website/

jamesozzie commented 4 years ago

@cole10up No issues from my side with either OWASP ModSecurity or Atomic Basic ModSecurity rule sets enabled, with thorough default values.


Happy to share logs or provide testing login if needed.

cole10up commented 4 years ago

Thanks @jamesozzie for the help. Transitioning this one to approval.

Imagine775 commented 4 years ago

Hello, I have the same issue with the loop "Sign in with Google to configure Site Kit". If there is a solution, can I please ask you to dumb it down for a noob like me, to help me understand how I can fix it.

jamesozzie commented 4 years ago

@Imagine775 We'd be happy to assist you with this error. If none of the troubleshooting steps listed on the website work for you, please open a WordPress support topic and we can look at your individual case.

ndel commented 2 years ago

Switching off security rule 210580 worked for me

gene1wood commented 7 months ago

You can also use this CRS plugin for ModSecurity to do the same: https://github.com/coreruleset/google-oauth2-plugin